Audits IAM policies, RBAC, ACLs, file permissions, and API authorization for vulnerabilities, privilege escalation paths, and least privilege violations.
Trigger: how this skill is invoked (by the user, by Claude, or both).

Slash command: /access-control-auditor:auditing-access-control

Allowed tools (this skill is limited to the following):
- Files under ${CLAUDE_SKILL_DIR}/
- grep, find, and standard shell utilities available via Bash
- aws iam, gcloud, or az role, with the corresponding cloud CLI installed and authenticated
- ${CLAUDE_SKILL_DIR}/references/README.md for IAM best practices, ACL vulnerability patterns, and NIST/GDPR access control standards

Summary (what Claude sees in its skill listing, used to decide when to auto-load this skill):
Audit access control implementations across codebases, cloud configurations, and application layers for security vulnerabilities and policy violations. This skill targets IAM policies, ACLs, RBAC configurations, file permissions, and API authorization logic to identify privilege escalation paths, overly permissive grants, and violations of the principle of least privilege.

Scope notes: .htaccess or equivalent files are located using Glob and Grep. Findings flagged include wildcard (*) grants, overly broad resource scopes, and administrative access granted to non-admin roles.

Common errors:

| Error | Cause | Solution |
|---|---|---|
| Permission denied reading config files | Insufficient filesystem access | Request read access to the target directory; avoid running the whole audit with elevated privileges just to read configuration files |
| IAM CLI command not found | Cloud CLI tools not installed | Install aws-cli, gcloud, or az and authenticate before running cloud audits |
| Empty role/permission scan results | Incorrect glob patterns for the framework | Adjust search patterns to match the target framework (e.g., @Roles() for NestJS, [Authorize] for .NET) |
| Timeout scanning large codebases | Too many files in scope | Narrow the scan scope with --exclude patterns for node_modules, vendor, or dist directories |
| Inconsistent policy format | Mixed IAM policy versions or formats | Normalize policies to a single format before analysis; flag format inconsistencies in the report |
Scan route definitions in ${CLAUDE_SKILL_DIR}/src/routes/ for missing authorization
middleware. Grep for router.post, router.put, router.delete and verify
each has a corresponding authMiddleware or requireRole() call. Flag any
state-changing endpoint lacking authorization as CWE-862 (Missing Authorization),
severity high.
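The route check described above, as an added example in Python rather than the skill's own grep-based procedure. It treats a route as protected only when its handler chain mentions authMiddleware or requireRole() (the two names given in the text), tracks parentheses so multi-line registrations are not missed, and also covers router.patch, which goes slightly beyond the three methods listed. The Express source it scans is constructed for the example; the real audit would read the files under ${CLAUDE_SKILL_DIR}/src/routes/.

```python
"""Added example (not the skill's own code): detect state-changing Express
routes registered without authorization middleware (CWE-862, high).

Assumptions, none of which come from the page beyond the names authMiddleware
and requireRole(): routes are registered as router.<method>(path, ...handlers),
and a route is considered protected when its handler chain mentions either of
those two names. The JavaScript source below is constructed for this example;
the skill itself would read ${CLAUDE_SKILL_DIR}/src/routes/*.js.
"""
import re

# 'patch' is checked too, which goes slightly beyond the three methods in the text.
STATE_CHANGING = ("post", "put", "delete", "patch")
AUTH_MARKERS = ("authMiddleware", "requireRole(")
CALL_START = re.compile(r"\brouter\.(" + "|".join(STATE_CHANGING) + r")\s*\(")
PATH_ARG = re.compile(r"""\(\s*['"`]([^'"`]*)['"`]""")

# Constructed sample: two protected routes, one multi-line unprotected route,
# one inline-handler route, and a webhook that authenticates by signature.
SAMPLE_ROUTES_JS = """\
const router = require('express').Router();

router.get('/items', listItems);
router.post('/items', authMiddleware, createItem);
router.put('/items/:id', requireRole('editor'), updateItem);
router.delete('/items/:id',
  deleteItem);
router.patch('/items/:id/publish', (req, res) => publish(req, res));
router.post('/webhooks/stripe', verifyStripeSignature, handleWebhook);
module.exports = router;
"""


def _extract_call(src, start):
    """Return src[start:] up to the ')' that closes the call opened at start.
    Paren-depth tracking makes multi-line registrations work; string literals
    containing parens are not special-cased, which is adequate for route files."""
    depth = 0
    for i in range(start, len(src)):
        if src[i] == "(":
            depth += 1
        elif src[i] == ")":
            depth -= 1
            if depth == 0:
                return src[start:i + 1]
    return src[start:]  # unterminated call: still check what is there


def find_unprotected_routes(src):
    """Return findings for state-changing routes whose handler chain has none
    of AUTH_MARKERS. Each finding is a dict with line, method, path, cwe, severity."""
    findings = []
    for m in CALL_START.finditer(src):
        call = _extract_call(src, m.start())
        if any(marker in call for marker in AUTH_MARKERS):
            continue
        path_m = PATH_ARG.search(call)
        findings.append({
            "line": src.count("\n", 0, m.start()) + 1,
            "method": m.group(1).upper(),
            "path": path_m.group(1) if path_m else "?",
            "cwe": "CWE-862",
            "severity": "high",
        })
    return findings


if __name__ == "__main__":
    for f in find_unprotected_routes(SAMPLE_ROUTES_JS):
        print(f"{f['severity']} {f['cwe']} line {f['line']}: "
              f"{f['method']} {f['path']} has no authMiddleware/requireRole()")
```

On the sample this reports the DELETE, the PATCH and the Stripe webhook. The webhook is a deliberate triage case: it authenticates the caller with a signature check rather than a session, so the finding is a false positive only if the signature middleware is verified to run before the handler. A router-level router.use(authMiddleware) would also protect every route below it without the marker appearing on each line, so the scan should be read alongside the router's use() calls, not instead of them.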
Parse all JSON policy files in ${CLAUDE_SKILL_DIR}/infra/iam/. Flag policies containing
"Effect": "Allow" with "Resource": "*" or "Action": "*" as CWE-269
(Improper Privilege Management), severity critical. Recommend scoping to specific
ARNs and actions per the principle of least privilege.
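The IAM policy check described above, as an added Python example that is not the skill's own code. It applies the rule in the text (Allow with "Action": "*" or "Resource": "*" is CWE-269, critical) and goes a little beyond it: service-wide action wildcards such as "s3:*" are reported at high, Allow combined with NotAction or NotResource (which grants everything except what is listed) is treated like a full wildcard, and the document shapes that defeat a naive grep are normalized (Statement as object or list, Action/Resource as string or list, mixed-case Effect). The three policy documents are constructed for the example.

```python
"""Added example (not the skill's own code): find IAM policy statements that
"Allow" with "Action": "*" or "Resource": "*" (CWE-269, critical), as the
skill text specifies, plus service-wide wildcards (high) and
NotAction/NotResource grants (critical). Deny statements are skipped because
they never widen access.

The three policy documents are constructed for this example; the skill would
instead load ${CLAUDE_SKILL_DIR}/infra/iam/*.json.
"""
import json

SAMPLE_POLICIES = {
    "admin-everything.json": json.dumps({
        "Version": "2012-10-17",
        "Statement": {"Effect": "Allow", "Action": "*", "Resource": "*"},
    }),
    "s3-bucket-access.json": json.dumps({
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "ObjectRW", "Effect": "Allow",
             "Action": ["s3:GetObject", "s3:PutObject"],
             "Resource": "arn:aws:s3:::example-bucket/*"},
            {"Sid": "BucketAdmin", "Effect": "Allow",
             "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket"},
            {"Sid": "RequireMFA", "Effect": "Deny", "Action": "*", "Resource": "*",
             "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}},
        ],
    }),
    "not-action-trap.json": json.dumps({
        "Version": "2012-10-17",
        "Statement": [{"Effect": "allow", "NotAction": "iam:*", "Resource": "*"}],
    }),
}


def _as_list(value):
    """IAM accepts a bare string wherever a list is allowed; normalize to a list."""
    if value is None:
        return []
    return list(value) if isinstance(value, list) else [value]


def audit_policy(name, doc):
    """Return (file, sid, severity, cwe, message) tuples for one policy document."""
    findings = []
    stmts = doc.get("Statement", [])
    stmts = stmts if isinstance(stmts, list) else [stmts]
    for idx, stmt in enumerate(stmts):
        if str(stmt.get("Effect", "")).lower() != "allow":
            continue  # Deny statements never widen access
        sid = stmt.get("Sid", f"Statement[{idx}]")
        actions = [str(a) for a in _as_list(stmt.get("Action"))]
        resources = [str(r) for r in _as_list(stmt.get("Resource"))]

        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append((name, sid, "critical", "CWE-269",
                             "Allow with NotAction/NotResource grants everything not listed"))
        elif "*" in actions or "*" in resources:
            findings.append((name, sid, "critical", "CWE-269",
                             'Allow with "Action": "*" or "Resource": "*"; scope to specific ARNs and actions'))
        else:
            # Service-wide wildcard such as "s3:*" (extension beyond the skill text)
            wide = [a for a in actions if a.endswith(":*")]
            if wide:
                findings.append((name, sid, "high", "CWE-269",
                                 f"service-wide action wildcard {wide}"))
    return findings


def audit_all(policies):
    """policies maps file name -> policy JSON text; returns findings across all files."""
    findings = []
    for name, text in policies.items():
        findings.extend(audit_policy(name, json.loads(text)))
    return findings


if __name__ == "__main__":
    for name, sid, sev, cwe, msg in audit_all(SAMPLE_POLICIES):
        print(f"{sev:<8} {cwe} {name} [{sid}]: {msg}")
```

Two triage caveats apply to the critical findings. Some AWS actions (many List* and Describe* calls) do not support resource-level permissions and legitimately require "Resource": "*", so those statements need a manual look rather than an automatic fail. And a Condition block can narrow a wildcard without changing the Resource field, so the report should show the Condition alongside the finding before a recommendation to rescope is issued.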
Analyze role definitions in ${CLAUDE_SKILL_DIR}/config/roles.yaml. Build a permission
matrix, identify roles with overlapping admin-level privileges, and flag any role
that can both create and approve its own resources as a separation-of-duties
violation (NIST AC-5), severity medium.
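The role analysis described above, as an added Python example that is not the skill's own code. It builds the permission matrix with inheritance resolved, flags any role that can both create and approve the same resource (NIST AC-5, medium), and lists admin-level grants held by more than one role. The permission syntax ("resource:action", "*" allowed in either position), the "inherits" key, what counts as admin-level, and the "high" severity on the overlap finding are this example's assumptions; the roles are constructed inline instead of being read from ${CLAUDE_SKILL_DIR}/config/roles.yaml.

```python
"""Added example (not the skill's own code): build a role -> permission matrix,
resolve role inheritance, and flag (a) roles that can both create and approve
the same resource as separation-of-duties violations (NIST AC-5, medium) and
(b) admin-level grants held by more than one role, as the skill text describes.

Assumptions, which are this example's and not the page's: permissions are
"resource:action" strings with "*" allowed in either position; a role may list
"inherits"; the two grants in ADMIN_LEVEL are what counts as admin-level; the
"high" severity for overlapping admin grants is this example's choice. The
roles are constructed inline; the skill would load them from
${CLAUDE_SKILL_DIR}/config/roles.yaml (for example with yaml.safe_load).
"""
from collections import defaultdict

SAMPLE_ROLES = {
    "admin":            {"permissions": ["*:*"]},
    "platform-ops":     {"permissions": ["iam:*", "deploy:*"]},
    "finance-clerk":    {"permissions": ["invoice:create", "invoice:read"]},
    "finance-approver": {"permissions": ["invoice:approve", "invoice:read"]},
    "finance-manager":  {"inherits": ["finance-clerk", "finance-approver"]},
    "support":          {"inherits": ["finance-clerk"], "permissions": ["ticket:*"]},
}

ADMIN_LEVEL = [("*", "*"), ("iam", "*")]  # grants treated as admin-level here


def _effective_permissions(name, roles, path=frozenset()):
    """Resolve inheritance into a set of (resource, action) tuples. `path` holds
    the roles on the current inheritance chain so cycles terminate while
    diamond-shaped inheritance still contributes every ancestor's grants."""
    if name in path:
        return set()
    role = roles.get(name, {})
    perms = set()
    for p in role.get("permissions", []):
        res, _, act = p.partition(":")
        perms.add((res, act or "*"))  # "invoice" alone means every action on invoice
    for parent in role.get("inherits", []):
        perms |= _effective_permissions(parent, roles, path | {name})
    return perms


def build_matrix(roles):
    """Return {role: set of (resource, action)} with inheritance resolved."""
    return {name: _effective_permissions(name, roles) for name in roles}


def _covers(perms, resource, action):
    """True if any grant in perms covers resource:action, honoring '*'."""
    return any(r in ("*", resource) and a in ("*", action) for r, a in perms)


def find_violations(matrix):
    """Return (roles, severity, reference, message) tuples."""
    findings = []
    # Action vocabulary per resource from explicit grants only, so a role with
    # deploy:* is not flagged for an 'approve' action that no role ever defines.
    known = defaultdict(set)
    for perms in matrix.values():
        for res, act in perms:
            if res != "*" and act != "*":
                known[res].add(act)
    for role, perms in sorted(matrix.items()):
        for res, acts in sorted(known.items()):
            if {"create", "approve"} <= acts and _covers(perms, res, "create") \
                    and _covers(perms, res, "approve"):
                findings.append((role, "medium", "NIST AC-5",
                                 f"can both create and approve {res}"))
    for res, act in ADMIN_LEVEL:
        holders = sorted(r for r, p in matrix.items() if _covers(p, res, act))
        if len(holders) > 1:
            findings.append((", ".join(holders), "high", "overlapping admin",
                             f"all hold {res}:{act}"))
    return findings


if __name__ == "__main__":
    matrix = build_matrix(SAMPLE_ROLES)
    for role in sorted(matrix):
        print(f"{role:<17} {sorted(':'.join(p) for p in matrix[role])}")
    for roles, sev, ref, msg in find_violations(matrix):
        print(f"{sev:<7} {ref}: {roles} {msg}")
```

Two details matter in practice. finance-manager holds no direct permissions at all and is flagged only because inheritance is resolved first; a scan of the literal YAML would miss it. And the superuser role trips the separation-of-duties check as well, which is correct: it should be reported, and the expected fix is a break-glass process around that role rather than a silent exemption in the audit.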
Install with:
npx claudepluginhub jeremylongshore/claude-code-plugins-plus-skills --plugin access-control-auditor